Snowflake Native Guide

It only takes a few minutes to get started with Satori. What you need is listed here:
- Access to Satori's management console.
- The hostname of your Snowflake data store, for example: abc123.snowflakecomputing.com.
Step 1 - Adding a Snowflake Data Store to Satori

Perform the following steps to connect Satori to your Snowflake account:
- Log in to Satori's management console.
- Go to the Data Stores view and click the Plus button.
- Select the Snowflake option.
- Enter an informative name for the data store, for example: Sales Data Warehouse.
- Enter the hostname of your Snowflake account, for example: abc123.snowflakecomputing.com
- Choose a Data Access Controller to use for this data store by selecting the Cloud provider and Region.
- Click the Add New Data Store button.
- You will be redirected to the Data Stores list view.
Step 2 - Configuring the Snowflake Native Integration
- Click on the new data store you created and click the Integration Settings tab.
- Check the Native Integration checkbox.
- Enter the following connection settings to generate the setup instructions:
- Username - A new Snowflake user instance with this name will be created for Satori to connect to your Snowflake account.
- Account Name - The Snowflake account name uniquely identifies a Snowflake account within your organization. For example: myorg-account123. If Satori needs to connect to your Snowflake account via a Private Link, use the private link account name, for example: myorg-account123.privatelink.
Note: There may be additional steps required to enable private connectivity from Satori to your Snowflake account. For more information, contact your Satori representative or open a support ticket.
- Warehouse for Satori Queries - Satori uses this warehouse to build the data inventory, classify data and set access policies for users. This field is case-sensitive. To use a case-insensitive warehouse name, use capital letters. For example: SATORI_WH.
Note: Satori recommends provisioning a dedicated warehouse for the Satori workload.
- Role - A new Snowflake role with this name is created for Satori to connect to your Snowflake account. This field is case-sensitive. To use a case-insensitive role name, use capital letters. For example: SATORI_ROLE.
Step 3 - Once You Have Entered the Connection Settings
- Select Generate Setup Instructions.
- Copy the generated setup statements and execute them in your Snowflake account.
- Click on Test Connection to make sure the connection settings are correct.
Mapping Satori Users to Local Snowflake Users
In the event that the user names in your Snowflake account do not match the user names in your Satori account, you need to map between your Satori user names and your Snowflake user names.
The recommended approach to define this mapping is to add a user attribute to the Satori application in your identity provider, and set the name of this attribute in the Data Store Username Mapping option in the Integration Settings of the Snowflake data store in the Satori management console.

Feature Support Matrix
Not all Satori features are supported by the Standard Snowflake edition. The following table lists all the Satori features and their corresponding Snowflake edition:
| Feature | Required Snowflake Edition |
|---|---|
| Audit Log | Standard (basic information), Enterprise (detailed information) |
| User Access Rules | Standard |
| Dynamic Masking | Enterprise |
| Data Filtering | Enterprise |
Satori Snowflake Roles Design
Satori maps dataset access levels to Snowflake by creating three roles for each dataset, corresponding to the three Satori access levels: read, read-write and full access. Satori uses two options for granting the dataset roles to users, depending on what type of user access rules are created on the dataset.
User-Specific Roles
When you create a user access rule for a specific user, for example: john.smith@acme.com or SRV_ETL_BOT, Satori creates a role for the user with the following naming convention: SATORI__USERNAME.
The SATORI__USERNAME role is granted the dataset role that corresponds to the access level specified in the access rule.

It is common for users to be represented in Satori by their email address while in Snowflake they are sometimes represented differently. This situation requires mapping Satori users to local Snowflake users.
Existing Roles
When you create a user access rule for an existing Snowflake role, Satori grants that role the dataset role that corresponds to the access level specified in the access rule.
In the following example, the SRV_DBT_CORE_PRD role is granted full access to the Customer Demographics dataset in Satori:

Default Role for Users
Satori creates the SATORI_BASE_ROLE on the Snowflake account, which is granted to all users controlled by Satori. You can use the SATORI_BASE_ROLE to grant default permissions to all users, for example, USAGE to a warehouse.
Snowflake-Specific Features
Satori offers a number of unique features that are specific to Snowflake.
Controlling Access to Warehouses
To successfully use data in Snowflake, users require permission to access the tables or views where the data is located, and usage permissions on a Snowflake compute warehouse that executes their queries. To grant access to a warehouse, follow these steps:
- Create a dataset
- Add the warehouse to the list of included locations of the dataset
- Add user access rules to the dataset
Controlling Access to Account Roles
You can use Satori to grant Snowflake account roles to users. An example use case is sharing worksheets or dashboards: when a user (the producer) shares a worksheet with another user (the consumer), the worksheet must be viewed by the consumer using the same role the producer used to create the worksheet. To grant a Snowflake account role to users, follow these steps:
- Create a dataset
- Add one or more roles to the list of included locations of the dataset
- Add user access rules to the dataset
NOTE: You cannot add the same Snowflake role to the list of included locations of a dataset, and in a user access rule of the same dataset. This configuration creates a cyclic role dependency and will be rejected by Snowflake.
You can also use Satori to manage the permissions and policies for the role used by users to share worksheets. However, you should create a separate dataset and only include the role in a user access rule, and not in the list of included locations.
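The check below is an added example, not Satori's own code: it looks for the cyclic role dependency described in the note before the configuration is applied, and also catches cycles that span several datasets. It assumes a simplified grant model (one placeholder role per dataset, where the dataset role inherits each included role and each role named in an access rule inherits the dataset role); the dataset and role names are hypothetical.

```python
def grant_edges(datasets):
    """Build an 'inherits from' graph under the assumed grant model.

    datasets: {name: {"included_roles": set, "rule_roles": set}}
    Edge A -> B means role A inherits role B.
    """
    edges = {}
    for name, ds in datasets.items():
        dataset_role = f"DATASET_ROLE<{name}>"  # placeholder, not a real Satori name
        for included in ds["included_roles"]:
            edges.setdefault(dataset_role, set()).add(included)
        for grantee in ds["rule_roles"]:
            edges.setdefault(grantee, set()).add(dataset_role)
    return edges


def find_cycle(edges):
    """Depth-first search; returns one cycle as a list of roles, or None."""
    state = {}   # role -> "open" while on the current path, "done" afterwards
    path = []

    def visit(role):
        state[role] = "open"
        path.append(role)
        for nxt in sorted(edges.get(role, ())):
            if state.get(nxt) == "open":
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        state[role] = "done"
        return None

    for role in sorted(edges):
        if role not in state:
            found = visit(role)
            if found:
                return found
    return None


# Constructed sample configurations.
REJECTED = {"worksheets": {"included_roles": {"ANALYST_SHARE"},
                           "rule_roles": {"ANALYST_SHARE"}}}
SEPARATE = {"worksheets": {"included_roles": {"ANALYST_SHARE"},
                           "rule_roles": {"BI_USERS"}},
            "share_perms": {"included_roles": set(),
                            "rule_roles": {"ANALYST_SHARE"}}}
```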
Permission and Policy Resolution
The following section explains how Satori selects the correct access rule or security policy when multiple options are available:
Creating Multiple User Access Rules
In most cases, users are granted access to data using a single user access rule for each dataset. However, users can be granted access to data using more than one user access rule for the same Snowflake object.
For example, this happens when one access rule is configured on the user and another access rule is configured on a group the user is a member of, or when datasets are created that include the same Snowflake objects.
Enforcing Multiple Masking Profiles
When multiple masking profiles are enforced, Satori merges the masking rules of all relevant profiles. When more than one masking rule is applied to the same data store location, Satori selects the most accurate masking rule.
For example, when one masking rule is defined on a classification category such as PII, and a second masking rule is defined on a classifier such as EMAIL, Satori will choose the second masking rule.
Enforcing Multiple Data Filtering Policies
When multiple data filtering policies are enforced on the same data store location, Satori merges the policies using a union of the list of values.
For example, when one filtering policy allows a user to view the US and CA values for the country field, and a second filtering policy allows a user to view the FR and UK values for the same field, the user sees all four values: US, CA, FR and UK.
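The following model of the two resolution rules above is an added example, not Satori's implementation. The rule structure, action labels and the error raised on an undocumented tie are assumptions; the sample profiles and policies are constructed.

```python
from dataclasses import dataclass

# The page documents two levels: a classifier rule (EMAIL) is more
# accurate than a classification-category rule (PII).
SPECIFICITY = {"category": 0, "classifier": 1}


@dataclass(frozen=True)
class MaskRule:
    target_kind: str  # "category" or "classifier"
    target: str       # e.g. "PII" or "EMAIL"
    action: str       # hypothetical label for the masking action


def resolve_mask(column_tags, profiles):
    """Merge every profile's rules, then keep the most specific match.

    column_tags: e.g. {"category": "PII", "classifier": "EMAIL"}
    profiles: list of lists of MaskRule
    """
    merged = [rule for profile in profiles for rule in profile]
    hits = [r for r in merged if column_tags.get(r.target_kind) == r.target]
    if not hits:
        return None
    top = max(SPECIFICITY[r.target_kind] for r in hits)
    actions = {r.action for r in hits if SPECIFICITY[r.target_kind] == top}
    if len(actions) > 1:
        # The page does not say how equal-specificity rules are ordered,
        # so this model reports the conflict for review (assumption).
        raise ValueError(f"ambiguous masking rules: {sorted(actions)}")
    return actions.pop()


def merge_filters(policies):
    """Union the allowed values per field across all policies."""
    merged = {}
    for policy in policies:
        for field, values in policy.items():
            merged.setdefault(field, set()).update(values)
    return merged


def newly_visible(existing, added):
    """Values a user gains when one more filtering policy applies.

    Because policies merge by union, an extra policy can only widen
    what the user sees; this reports exactly what it widens.
    """
    before = merge_filters(existing)
    after = merge_filters(existing + [added])
    gained = {f: v - before.get(f, set()) for f, v in after.items()}
    return {f: v for f, v in gained.items() if v}
```

Running `newly_visible` before attaching a second filtering policy to a group shows which rows its members will gain, which is the review step the union semantics make necessary.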
Known Limitations
Common Expression Language (CEL)
The native Snowflake integration only supports CEL expressions that look up a single user attribute. For example: userAttr("countries").
Unsupported Data Types for Data Classification
Satori does not classify data stored in the following types:
- VECTOR
- GEOGRAPHY
- GEOMETRY
- VARIANT
Partially Supported Data Types for Dynamic Masking
Satori will always mask columns of the following types as 0:
- VARIANT
- GEOGRAPHY
- GEOMETRY
Unsupported Data Types for Dynamic Masking
Masking is not supported on columns of the following types:
- VECTOR
Renaming Objects
Renaming an object in Snowflake will remove the object with the old name from the Data Inventory and a new object with the new name will be created. Any access controls, policies, or manual classifications will not be retained and must be applied to the new object.